The ongoing deregulation of worldwide energy distribution markets is driving the need for smart utility distribution grids and smart meters, enabling both utility providers and consumers to monitor the detailed consumption of an end user at any time through open communication networks. The energy market is the one most directly concerned today, but related issues are also relevant to other utility markets such as water or gas.
While a number of legacy meters already implement some point-to-point automated reading protocols using, for instance, standard optical or modem interfaces, they are not able to interact with either the end user home area network devices or the remote utility monitoring facilities using wireless or power line communication networks. The industry answer to this regulatory requirement in the next decade will therefore consist of swapping the legacy meters for so-called smart meters, which ultimately imposes tremendous costs on the utility vendors and the consumers.
Moreover, the resulting dependency of the basic metering functionality on remote communication messages raises significant concerns about the effective robustness to software bugs as well as to emerging threats such as smart grid worms and viruses taking advantage of smart meter security design flaws that may not be known at the time of deployment, but may become critical later. This is particularly evident in the case of the remote disconnect feature, which is a major disruption target for cyber-terrorism but also a possible entry point for local thieves, as a way to disconnect some house alarms from their power source.
In practice, today's security designs for smart grids and smart meters are largely inspired by the telecommunication industry, and a large part of them is subject to emerging standardization by international committees such as ANSI or IEC. However, the requirements are very different, as telecommunication end devices such as mobile phones, set-top boxes or even television receivers seldom exceed an operational lifetime of 10 to 20 years. In contrast, metering equipment is typically installed when a house is built and is meant to last at least 20 years, if not 50 to 100 years.
Once the standard specifications are defined, it is no longer possible to update the design (for instance, cryptographic algorithms, key lengths and key management systems) without breaking compliance. This is a major issue in deregulated markets, where any metering device model from any manufacturer needs to operate with any utility provider infrastructure, possibly for the next 50 to 100 years.
There is therefore a need for alternative solutions that clearly separate the advanced but complex and security-sensitive monitoring functionality from the basic but proven utility delivery and consumption measurement functionality. In this approach, the fully operational legacy meters do not need to be upgraded, which also helps save upgrade costs and smart meter manufacturing energy.
Separation of the remote monitoring functionality from the basic legacy metering functionality typically requires a detachable monitoring device, including at least:
- A reader sensor interface to be connected to the legacy meter display or electrical reading interface (serial, optical, etc.).
- A memory to buffer the utility usage information prior to reporting it.
- One or several network communication interfaces to report the data back to the utility network and/or the end user home area network, in compliance with existing regulations and relevant technical standards.
- A processor in charge of monitoring the reading, storing and reporting operations.
Such detachable monitoring solutions and associated data management systems have already been described, for instance in WO07134397 or GB 2460517. Some related devices are also now commercialized for instance by PilotSystems (http://www.pilotsystems.com) and Xemtec (http://www.xemtec.ch), but none of this prior art addresses the security enforcement functionality.
In order to fully address the utility usage consumption hacking threat, it is important to prevent hacking on all individual components in the end-to-end communication chain. As opposed to smart meters, legacy meters LM, as the first component in the end-to-end communication chain, have no interfaces to open networks, so hacking them requires a local mechanical operation with certain safety and tamper evidence concerns, as meters are typically sealed by utility vendors everywhere in the world. On the other end of the chain, state-of-the-art cryptographic design is applied to communications between the monitoring module and the utility infrastructure over open networks, but this security is only as strong as the secrecy of the underlying keys. A tamper-proof design on the monitoring module device side is therefore of primary importance.